On Thu, 03 Jan 2008 11:54:01 +0000 Stuart Auchterlonie <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
> > I have a strange situation which I can't explain.
> >
> > I have an Internet-facing front-end server using exim with ClamAV.  I also
> > have the Sanesecurity signatures installed.  Delivery is achieved by
> > relaying to an Exchange server which is behind the firewall.
> >
> > Some users have re-direction set up so that the Exchange server passes
> > messages back to the front-end server for onward transmission.  Note, this
> > is re-direction, not forwarding, so the messages just have an extra
> > Received: line added to the header.
> >
> > Several times per day I see messages to some of these users being rejected
> > by ClamAV as they are being received back from the Exchange server for
> > re-direction!
> >
> > That means that the messages have been cleared by ClamAV as they arrive
> > from the Internet but are then rejected a few seconds later when returning!
> > So far they have all been Sanesecurity signatures which have caused this.
> >
> > One thought is that Exchange could possibly be re-writing attachments, but
> > that would mean that ClamAV is sensitive to the way in which attachments
> > are encoded.
> >
> > Any ideas?
> >
>
> It's possibly something along the lines of what we see occasionally with
> SPF verification.
>
> Since the email is forwarded on from the exchange server, the email
> still appears to be from the original user, but it is now coming from
> your exchange server.
>
> In the SPF case your email server isn't an authorized server for the
> originating domain, and so the email gets bounced due to an SPF
> violation.
>
> Now if the sanesecurity sigs do some verification which relates the
> sending domain with the server the email was sent from, this could
> be the problem you are seeing.
>
>
> Stuart

I was not aware that there was any way to get clamd to do anything other than
check the content of messages.  The Sanesecurity signatures are just a set of
phishing and scam signatures for ClamAV which are used in addition to the
standard ClamAV ones.

Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
example, how do I look up the signature that clamd is using for that?

Phil.
---------------------------------------
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
